1. Field
The present invention is related to behavioral-based threat detection.
2. Description of the Related Art
There exist within the art of anti-malware many methods for inspecting the run-time behaviors of applications, executables and processes. Based upon the behaviors of those objects, policy decisions can be made about the legitimacy of the application, and execution can be halted and changes reversed to prevent damage, unauthorized access and so on. Behavioral inspection is used as a means of malware detection because malware authors increasingly obfuscate and randomize content, making conventional deterministic content-based analysis mechanisms increasingly ineffective. Existing behavioral monitoring systems have been provided with a database of actions and resources that are blacklisted and indicate malicious intent. During run time, if a given process, application or executable performs any one of the actions in this list of negative actions, the process may be identified as malicious and terminated, or the administrator alerted; this applies equally where the content of the executable itself is legitimate but the process is being manipulated, or where interpreting malicious data causes unintended and malicious behavior in an otherwise legitimate entity. To avoid false positives, these existing implementations may also have exception lists for rules, based on known processes and behaviors.
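The blacklist-with-exceptions model described in the preceding paragraph, written out as a small rule engine. This is an added illustration and not part of the present disclosure or of any product; the rules, the exception entries, the process names and the event trace are all constructed for the example.

```python
"""Minimal behavioral blacklist engine of the kind described above.

Constructed example: blacklist rules, an exception list keyed by known
process image, and a synthetic run-time event trace.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    pid: int
    process: str   # image name of the acting process
    action: str    # e.g. "write_file", "create_process", "set_registry"
    resource: str  # path, registry key or command line the action touched


@dataclass(frozen=True)
class Rule:
    action: str
    resource_pattern: str  # glob over the resource (fnmatch syntax)
    description: str


# Blacklist: actions on resources that indicate malicious intent (constructed).
BLACKLIST: List[Rule] = [
    Rule("write_file", "C:\\Windows\\System32\\*.exe", "drop executable into System32"),
    Rule("set_registry", "HKLM\\*\\CurrentVersion\\Run\\*", "machine-wide autorun persistence"),
    Rule("create_process", "*vssadmin* delete shadows*", "shadow copy deletion"),
]

# Exception list: (action, resource_pattern) pairs permitted for a known process.
EXCEPTIONS: Dict[str, List[Tuple[str, str]]] = {
    "TrustedInstaller.exe": [("write_file", "C:\\Windows\\System32\\*")],
}


def _glob(resource: str, pattern: str) -> bool:
    # Case-insensitive match regardless of host platform (Windows-style paths).
    return fnmatchcase(resource.lower(), pattern.lower())


def matches(rule: Rule, event: Event) -> bool:
    return rule.action == event.action and _glob(event.resource, rule.resource_pattern)


def excepted(event: Event) -> bool:
    """True if the exception list covers this process/action/resource."""
    return any(
        action == event.action and _glob(event.resource, pattern)
        for action, pattern in EXCEPTIONS.get(event.process, [])
    )


def evaluate(events: List[Event]) -> Dict[int, Optional[str]]:
    """Return, per pid, the description of the first blacklisted action it
    performed that no exception covers, or None if it stayed clean.

    As in the prior-art model, the verdict names only the acting process;
    files or other processes associated with the event are not tracked.
    """
    verdicts: Dict[int, Optional[str]] = {}
    for ev in events:
        verdicts.setdefault(ev.pid, None)
        if verdicts[ev.pid] is not None:
            continue  # already flagged; in practice the process would have been killed
        if excepted(ev):
            continue
        for rule in BLACKLIST:
            if matches(rule, ev):
                verdicts[ev.pid] = rule.description
                break
    return verdicts


# Constructed trace: an update component writing into System32 (excepted),
# a document reader being abused for persistence and shadow copy deletion,
# and a browser saving a download.
SAMPLE_EVENTS: List[Event] = [
    Event(100, "TrustedInstaller.exe", "write_file", "C:\\Windows\\System32\\newdll.exe"),
    Event(200, "reader.exe", "write_file", "C:\\Users\\u\\AppData\\Local\\Temp\\a.tmp"),
    Event(200, "reader.exe", "set_registry", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
    Event(200, "reader.exe", "create_process", "cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    Event(300, "browser.exe", "write_file", "C:\\Users\\u\\Downloads\\report.pdf"),
]


if __name__ == "__main__":
    for pid, verdict in evaluate(SAMPLE_EVENTS).items():
        print(pid, "malicious:" if verdict else "clean", verdict or "")
```

Note that the engine stops at the first matching rule for a process and reports that process only: the temporary file written by pid 200 before it tripped the autorun rule is not recorded as part of the incident, which is the remediation gap discussed in the next paragraph.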
Behavioral inspection is already a cornerstone of modern malware protection; however, these implementations are limited in their ability to remediate and to differentiate between minor events and definitive malicious activity exhibited by a known class of malware. This makes driving simple remediation challenging: the offending process can be killed, but any other potentially related files and the like remain untouched (and unassociated with the event).